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Abstract 

In year 2000, an efficient hierarchical chaotic image encryption (HCIE) algorithm was proposed, which divides a plain-image 
of size MxN with T possible value levels into K blocks of the same size and then operates position permutation on two levels: 
intra-block and inter-block. As a typical position permutation-only encryption algorithm, it has received intensive attention. 
The present paper analyzes specific security performance of HCIE against ciphertext-only attack and known/chosen-plaintext 
attack. It is found that only 0(f\og T (M ■ N / K)~\) known/chosen plain-images are sufficient to achieve a good performance, and 
the computational complexity is 0(M ■ N ■ [log r (M ■ N/K)~\), which effectively demonstrates that hierarchical permutation- 
only image encryption algorithms are less secure than normal (i.e., non-hierarchical) ones. Detailed experiment results are 
given to verify the feasibility of the known-plaintext attack. In addition, it is pointed out that the security of HCIE against 
ciphertext-only attack was much overestimated. 
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1. Introduction 

With the increasing transmission speeds of 
wired/wireless networks and popularization of image 
capturing devices and cloud storage services, image data 
are transmitted over open networks more and more fre¬ 
quently. This makes security of image data become more 
and more important. The public concern of it becomes 
serious as news about the illegal online leak of personal 
photos of some celebrities was released. As a chaotic 
system owns some similar properties as that of modern 
encryption schemes, it has been intensively studied as an 
alternative approach for designing secure and efficient 
encryption schemes [1, 2, 3]. The main idea and principle 
of applying chaos theory to protecting images can be 
traced back to 1986 [4], which demonstrates the stretching 
effect of a chaotic map on a painting of Henri Poincare, a 
founder of modern chaos theory. 

The simplest and most efficient method for protecting 
multimedia data is permuting the positions of their spa¬ 
tial pixels [5] or frequency coefficients [6]. In the litera¬ 
ture, some synonyms of permutation, transposition, shuffle, 
scramble [6], swap and shift, are used. Security scrutiny 
on some specific permutation-only encryption algorithms 
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against known/chosen-plaintext attacks were previously de¬ 
veloped [7, 8]. In [9], a ciphertext-only attack on a spe¬ 
cially simple permutation-only encryption algorithm was 
proposed utilizing correlation redundancy remaining in the 
cipher-image. No matter how the permutation relation¬ 
ships are generated and what the permutation object is, any 
permutation-only encryption algorithm can always be rep¬ 
resented by a permutation relationship matrix, whose entry 
stores the corresponding permuted location in the cipher- 
text [10]. The security of permutation-only encryption al¬ 
gorithm relies on its real permutation domain, in which any 
element in the permutation object can be permuted inde¬ 
pendently. As for a permutation domain of size MxN 
with T possible value levels, it is estimated that the re¬ 
quired number of known/chosen-plaintexts for an efficient 
plaintext attack is 0(f\og T (M ■ N)~\), where [Or] denotes the 
ceiling function. An upper bound of the attack complexity 
is also derived therein to be 0(n ■ (M ■ N ) 2 ), where n is the 
number of known/chosen plain-images [10]. In [11], the 
computational complexity of the attack is further reduced 
to 0(n ■ (M ■ A0) by replacing the set intersection operations 
of quadratic complexity with linear element access opera¬ 
tions. Even so, all kinds of permutation operations are still 
being used in multimedia protection today [12, 13, 14, 15]. 

In [16], a typical example of permutation-only image en¬ 
cryption algorithms, called HCIE (hierarchical chaotic im¬ 
age encryption), was proposed. Although security perfor- 
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mance of general permutation-only image encryption algo¬ 
rithms against plaintext attack has been quantitatively an¬ 
alyzed, specific security performance of HCIE is still not 
evaluated. The core of HCIE is a permutation function 
composed of rotation operations of four directions, origi¬ 
nates from an intellectual toy, Rubik’s Cube [17]. In [16], 
the authors claimed about the security property of HCIE as 
follows: “By way of collecting some original images and 
their encryption results or collecting some specified images 
and their corresponding encryption results, it is still diffi¬ 
cult for the cryptanalysts to decrypt an encrypted image 
correctly because the permutation relationship is different 
for each image.” In this paper, we will demonstrate that the 
claim on the robustness of HCIE against known/chosen- 
plaintext attack is groundless. Further more, we find that 
the hierarchical encryption structure suggested in HCIE 
does not provide any higher security against known/chosen- 
plaintext attack, but actually make the overall security even 
weaker. In addition, we find the capability of HCIE against 
ciphertext-only attack was much over-estimated. 

The rest of this paper is organized as follows. The algo¬ 
rithm HCIE is briefly introduced in Sec. 2. Detailed crypt¬ 
analysis on HCIE is provided in Sec. 3, with some experi¬ 
mental results. The last section concludes the paper. 

2. The hierarchical chaotic image encryption algorithm 

(HCIE) 

HCIE is a two-level hierarchical permutation-only image 
encryption algorithm, in which all involved permutation 
relationships are defined by pseudo-random combinations 
of four rotation mappings with pseudo-random parameters. 
For an image, / = [/(/, y)] ; v/x,v. the four mapping opera¬ 
tions are described as follows, where p < min(M, N ) holds 
for each mapping. 

Definition 1. The mapping f = ROLR' b (f) (0 < i < M - 
1) is defined to rotate the i-th row of f, in the left (when 
b — 0) or right (when b — 1) direction, by p pixels. 

Definition 2. The mapping f = ROUD J h P (f) (0 < j < 
N — 1) is defined to rotate the j-th column of f, in the up 
(when b — 0) or down (when b — 1) direction, by p pixels. 

Definition 3. The mapping f — ROUR k f p (/) (0 < k < 
M + N - 2) is defined to rotate all pixels satisfying i + j — k, 
in the lower-left (when b — 0) or upper-right (when b — 1) 
direction, by p pixels. 

Definition 4. The mapping f = ROUL b P (f ) (1 — N < l < 
M — 1 ) is defined to rotate all pixels satisfying i - j — l, 
in the upper-left (when b — 0) or lower-right (when b — 1) 
direction, by p pixels. 


Given a pseudo-random bit sequence {/?(/)} starting from 
to, the Sub_HCIE function in Algorithm 1 is used to permute 
an Sm x Sn image f su b to become another Sm xS n image 
f b , where (a, ft, y, no) are control parameters. One can see 
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function SuB_HCIE(/ s „i, {b(i)}, no, S m, 5 n) 
for ite <— 0, no do 

q <— /o + (3 S m 3" 35 n — 2.) • ite 
p <— a + j8 • b(q + 0) + y ■ b(q + 1) 
for i <— 0, (S m — 1) do 

f'sub ■ 

end for 

for j <— 0, (S N - 1) do 

fL - R OUD J b P j +q+sM) (f' uh ) 

end for 

for k <— 0, (S m + Sn ~ 2) do 


ROLR' b p i+q) (f sub ) 


nk.P 


b(k+q+S m+S n)^ sub 


f'ub - ROUR 
end for 

for/* *- (1 -S N ),(S M - Ddo 


(ID 


fsub ^ Rouu 

end for 
end for 

i o *o + (35 m + 35 jv 

return (f' uh ,k) 
end function 


Ip 


-iffsub) 


b{l-\-q-\-'2.‘S a /+ 3 ‘S n — 2 )''*' sub 


■ 2) • no 


that the Sub_HCIE function actually defines an 5 m xS v per¬ 
mutation relationship matrix pseudo-randomly controlled 
by (35 m + 35jv - 2) • no bits in the bit sequence {b(i)\ 
from /(). Based on this function, for an M x N image 
/ = [/(/, j)]MxN, the four basic parts of HCIE can be briefly 
described as follows. 

• The secret key is the initial condition x(0) and the con¬ 
trol parameter p of the chaotic Logistic map, f(x) — 
px( 1 - x) [18], which is realized in L-bit finite preci¬ 
sion. 

• Some public parameters: 5 m, S n, a, f3, y and no, 
where xfM < S m ^ M, M mod 5 m — 0, VN < S n < 
N, and N mod 5^ = 0. 

Note: Although (S m,SN, a,/3,y,no) can all be in¬ 
cluded in the secret key, they are not suitable for such 
a use due to the following reasons: 1) 5 m^Sn tire re¬ 
lated to M,N; 2) a,f,y are related to Sm,Sn (and 
then related to M,N, too); 3) Sm,Sn can be easily 
guessed from the mosaic effect of the cipher-image; 4) 
iteration number no cannot be too large to achieve an 
acceptable encryption speed. 

• The initialization procedure of generating the bit se¬ 
quence used in the Sub_HCIE function: run the Lo- 
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gistic map starting from x(0) to generate a chaotic se¬ 
quence, and then extract 8 bits following 

the decimal point of each chaotic state x(i) to yield 
a bit sequence {b(i)}f^f ', where Lb = (l + ^ ■ ■ 

(3 S M + 3S n ~ 2) ■ no\ finally, set z () = 0 to let the 
Sub_HCIE function run starting from b( 0). 

• The two-level hierarchical encryption procedure: 

1) The high-level encryption - permuting image 
blocks: divide the plain-image / into blocks of size 
5 m x 5 pi, which compose an jp x ^ block-image 

p f = [ P A 1 ’ ■/')] X ^L ’ 

where P/(i , j) is the block of size 5 m x 5 n at the po¬ 
sition (z, j). Then, permute the positions of all blocks 
with the Sub_HCIE function in the following way: a) 
create a pseudo-image f p = [f p (i, j)]s M xs N contain¬ 
ing non-zero indices of all image blocks in 

Pf and (s m ■ Sn ~ ■ yy ) zero-elements, and per¬ 

mute f p with the SubJHCIE function to get a shuf¬ 
fled pseudo-image f *; b) generate a permuted block- 
image Pp from Pf (i.e., permute / blockwise) using 
the shuffled indices contained in f*. The above high- 
level encryption procedure can be considered as a per- 

/;=Sub_HCIE(/ p ) 

mutation of the block-image: Pf -> Pf, , 

where f* actually corresponds to an ^ x ^ permu¬ 
tation relationship matrix. 

2) The low-level encryption - permuting pixels in ev¬ 
ery image block one by one: for i — 0 ~ - l) and 

j = 0 ~ — l), call the Sub_HCIE function to per¬ 

mute each block Pp(i,j ) so as to get the correspond¬ 
ing block of the cipher-image f: 

P f (i,j) = Sub HCIE(p / .(z,j)). 

As normalized in [10], any permutation-only encryp¬ 
tion algorithm exerting on an object of size H xW can be 
represented with a permutation relationship matrix of size 
H xW. denoted by 

W = [w(z, j) = (*',/) eix W] Hxlv , (1) 

where H = [0, •••,//- 1], W = [0, • • • , W - 1], and 
w(i\,j\) + wlf 2 ,ji) for any (zj, ji) + (hji)- 

In HCIE, a total of (l + ^ permutation relation¬ 
ship matrices are involved: 1) one high-level permutation 
relationship matrix of size X -P-: 2) (-¥- ■ -A-) low-level 
permutation relationship matrices of size S mxSn- With the 
above-mentioned representation of a permutation-only im¬ 
age encryption algorithm, the secret key (p, x(0)) of HCIE 


is equivalent to the (l + ^ permutation relationship 
matrices for plain-images of the same size. To facilitate 
the following discussions, we use Wo = [wo(z, j)] jl x jl 

S M S N 

to denote the high-level permutation relationship matrix, 

. . _M__ i . . 

and use \Wa v " ' Sn to denote the (^X^) low- 

\ v ’ J, li=0,j=0 \s m s N j 

level permutation relationship matrices, where Wfj) = 

hiJ)V’f)] SMXS „- Apparently ’ the ( ! + t ■ B Po¬ 
tation relationship matrices can be easily transformed to an 
equivalent permutation relationship matrix of size M x N, 
W = [W(Z, j)] M xN- 

When Sm = M and S n = N (or Sm = Sn = 1), the 
two hierarchical encryption levels merge into a single one; 
the(l + permutation relationship matrices become 

one permutation relationship matrix of size M x N, a typi¬ 
cal permutation-only image encryption algorithm in which 
each pixel can be independently permuted to any other po¬ 
sition in the whole image by a single M x N permutation 
relationship matrix W. 

3. Cryptanalysis of HCIE 

3.1. Ciphertext-only attack 

In [16], it was claimed that the complexity of brute- 
force attacks to HCIE is o(2 Lb ), since there are L h = 
(l + ¥- ■ £-) ■ (3 Sm + 35 n - 2) • no secret chaotic bits in 

[KO^o 1 that are unknown to the attackers. However, this 
statement is not true due to the following fact: the Lb bits 
are uniquely determined by the secret key, i.e., the initial 
condition x(0) and the control parameter p, which have only 
2 L secret bits. This means that there are only 2 1L different 
chaotic bit sequences. 

Now, let us study the real complexity of bmte-force at¬ 
tacks. For each pair of guessed values of x(0) and p, the 
following operations are needed: 

• generating the chaotic bit sequence: there are Lb 1 8 
chaotic iterations; 

• creating the pseudo-image f p : the complexity is Sm ■ 
Sn, 

• shuffling the pseudo-image f p : running the Sub_HCIE 
function once; 

• generating Pp: the complexity is M ■ N; 

• shuffling the partition image Pp: running the 

Sub_HCIE function for (¥- ■ times. 

Assume that the computing complexity of the SubJICIE 
function is (45 u + 45jv) • no. Then, the total com¬ 
plexity of brute-force attacks to HCIE can be estimated 
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to be O ( 2 2l ■ (Lb + M ■ N)), which is much smaller than 

0 (2 , * /S ) when Lb is not too small. Additionally, consider¬ 
ing the fact that the Logistic map can exhibit a sufficiently 
strong chaotic behavior only when p is close to 4 [19], the 
above complexity should be even smaller. This analysis 
shows that the security of HCIE was much over-estimated 
by the authors in [ 20 , 16], for brute-force attacks. 

Observing the hierarchical permutation structure of 
HCIE, one can see that the histogram of each S m~xS n block 
in the plain-image will keep unchanged during the whole 
permutation process of HCIE. Due to the strong correla¬ 
tion between neighbouring pixels (and even blocks) of nat¬ 
ural images (See [21, Fig. 5]), there exists some correlation 
between histograms of neighbouring blocks. So, one may 
determine the relative locations of some blocks in cipher- 
image by comparing similarity degrees of histograms for 
every pair of cipher-blocks [22, 23], 

3.2. The known-plaintext attack 

Since HCIE is a permutation-only image encryption al¬ 
gorithm, given n known plain-images f\ ~ f, of size MxN 
and the corresponding cipher-images f[ ~ f' n , one can sim¬ 
ply call the Get_Perimtation_Matrix function defined in 
[10, Sec. 3.1] or its enhanced version in [11, Sec. 4] with 
the input parameter (f\ ~ f„,f[ ~ f/,M,N) to estimate an 
MxN permutation relationship matrix W, which is equiv¬ 
alent to the (l + ■ 5 ^) smaller permutation relationship 

matrices. However, if the hierarchical structure of HCIE is 
considered, the known-plaintext attack may be quicker and 
the estimation will be more effective. Thus, the following 
hierarchical procedure of known-plaintext attacks to HCIE 
is suggested 1 : 

• Reconstruct the high-level permutation relationship 
matrix Wo: 1) for i = 0 ~ ( j f - - l) and j — 0 ~ 

(ir ~~ ^) : ca l cu l ate the mean values of the 2 n blocks 
Pffi,j) ~ Pf,(i,j), Pf'fUj) ~ Pfiihj) and denote 


■p- x S- as follows: Tm = 1 ~ n, 

b M •JN J 


and 


Pf» = 

S M S N 

p f :„ = , 


1 For HCIE, the permutation relationship matrices also depend on the 
values of the public parameters. To simplify the following description, 
without loss of generality, it is assumed that all public parameters are fixed 
for all known plain-images. 


and call the Get_Permutation_Matrix function with 
the input parameters 


- - - M N 

P fl ~ Pfit ’ Pf[ ~ P f'n > a > 

Z> M j# 


to get an estimated permutation relationship ma¬ 
trix Wo = [woO,/)] jl x jl and its inverse W 0 ' = 


KM 


s M s N 


M „ JV • 
% 


3) Reconstruct the ■ 5 “) low-level permutation rela- 

1 KK - 1 

tionship matrices ^ : 

• for * = 0 ~ (£ - ! ) and J = 0 ~ (£ - O- 

call the Get_Permutation_Matrix function with the 
input parameters (Pf,(i, j) ~ Pf (i, j), Pr(i ', /') ~ 
Pf : (i',j'),S M -S N ), where (/',/) = W Q (iJ ), to de¬ 
termine an estimated permutation relationship matrix 
W(ij) and its inverse W,” 


-1 

' («./)■ 


With the (1 + M- ■ fP) inverse matrices W ,, 1 and 

\ ^ M N / u 

_ _M_-\ N 1 

{K)},Mo s ' , one can decrypt a new cipher-image f n+[ 
with Dermutation function given in Algorithm 2 to get an 
estimated plain-image f* +l : 


Algorithm 2 The function Dermutation 
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function Dermutation(W 0 l , ._ Q Sw , f' i+l ) 

for i <— 0, (M/S m) - 1 do 
for j <- 0, (N/S N ) - 1 do 
ftemp P f ;Jw Q ( i,j )) 
for ii «— 0, S M ~ 1 do 
for jj <— 0,5 n ~ 1 d° 

ftemp^L jj) «- ftemp K ^(U, jj)) 
PfL^Lj) <- ftemp 

end for 
end for 
end for 
end for 
return f* +l 
end function 

In fact, in the above procedure, any measure keeping in- 


S m x S n block. Although the mean value is less precise 
than the histogram, it works well in most cases and is effec¬ 
tive to reduce the time complexity. When T and S m x S v 
are both very small, the efficiency of the mean vafue will 
become low, in this case the histogram or the array of all 
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pixel values can be used as a replacement. As for an image 
of size H xW and T possible value levels, the number of 
different histogram is 


n h 



(4) 


As Hi, is a huge number for a non-tiny image and histogram 
is sensitive to the change of pixel value, it is easier to get 
the high-level permutation relationship matrix Wi, than the 
low-level permutation relationship matrices. 

Finally, let us see whether the hierarchical structure used 
in HCIE is helpful for enhancing the security against the 
known-plaintext attack to the common permutation image 
ciphers. As discussed in [10, Sec. 3.1], n > flog- r (2 (M-N- 
1 ))] known plain-images are needed to achieve an accept¬ 
able breaking performance. Since the hierarchical structure 
makes it possible for an attacker to work on permutation 
relationship matrices of size S m x S n or X (both 
smaller than M x N ), it is obvious that for HCIE the num¬ 
ber of required known plain-images will be smaller than 
[log r (2(M ■ N - 1))]. As the permutation relationship ma¬ 
trix Wo can be recovered in a very high probability with 
one or two known plain-images, one can conclude as fol¬ 
lows: the smaller the (S m x S n) is, the smaller the n is. 
Also, the attack complexity will become lower, since the 
number of used plaintexts is reduced. In this sense, hierar¬ 
chical permutation-only image ciphers are less secure than 
non-hierarchical ones, which discourages the use of HCIE. 


3.3. Experimental results on known-plaintext attack 

To verify the decryption performance of the above- 
discussed known-plaintext attack to HCIE, some experi¬ 
ments are performed using the six 256 x 256 test images 
with 256 gray scales shown in Fig. 1. Assume that the first 
n = 1 ~ 5 test images are known to an attacker, the cipher- 
image of the last test image is decrypted with the estimated 
permutation relationship matrices, to evaluate the breaking 
performance. 

In the experiments, three different configurations of 
HCIE are used: Sm = Sn = 256, Sm = Sn = 32, 
S m — Sn = 16. As mentioned above, the configuration 
of S m — S n = 256 corresponds to general permutation- 
only image ciphers working in the spatial domain (without 
using hierarchical structures). As shown in [10, Sec. 4], 
three known plain-images are always enough to achieve a 
good breaking performance, and an almost perfect break¬ 
ing performance can be achieved with four plain-images, 
where the public parameters are a = 6, /? = 3, y = 3 and 
no = 9. 



Image #1 Image #2 Image #3 



Image #4 Image #5 Image #6 

Figure 1 : The six 256 X 256 test images used in the experiments. 


3.3.1. The experimental results with S m — S n = 32 

The public parameters are set as follows: a — 4, /? = 
2, y = 1 and no = 2. The cipher-images of the six test 
images are all shown in Fig. 2. When the first n = 1 ~ 
5 test images are known to the attacker, the obtained five 
decrypted images of the sixth cipher-image are shown in 
Fig. 3. As can be seen, one known plain-image cannot 
reveal much useful visual information, but two is enough to 
obtain a good performance. 



Cipher-image #1 Cipher-image #2 Cipher-image #3 



Cipher-image #4 Cipher-image #5 Cipher-image #6 

Figure 2: The cipher-images of the six 256 X 256 test images, when Sm = 
S jv = 32. 


3.3.2. The experimental results with S m — S n = 16 
The public parameters are a = 4, f3 = 2, y = 1 and 
no = 2. The cipher-images of the six test images are all 
shown in Fig. 4. When the first n = 1 ~ 5 test images 
are known to the attacker, the five decrypt images of the 
sixth cipher-image are shown in Fig. 5. As can be seen, 
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n — 4 n-5 


Figure 3: The decrypted image of Cipher-Image #6 when the first n test 
images are known to the attacker, when S m = Sn = 32. 



n — 1 ii—2 n — 3 



n — 4 ii — 5 


Figure 5: The decrypted images of Cipher-Image #6 when the first n test 
images are known to an attacker, when Sm = Sn = 16. 


even one known plain-image can reveal a rough view of the 
plain-image, and two is enough to obtain a nearly-perfect 
recovery. 




Cipher-image #1 Cipher-image #2 Cipher-image #3 



Cipher-image #4 Cipher-image #5 Cipher-image #6 


Figure 4: The cipher-images of the six 256 X 256 test images, when Sm = 
S N = 16. 


Now, let us give a performance comparison of the 
known-plaintext attack to HCIE with the above three dif¬ 
ferent configurations. Figure 6a) shows the quantitative re¬ 
lationship between the number of known plain-images and 
the decryption quality (represented by the decryption error 
ratio). It can be seen that three known plain-images are 
enough for all three configurations to achieve an acceptable 
breaking performance, and two can reveal quite a lot of pix¬ 
els (which means that most significant visual information is 
revealed). Also, it is found that the breaking performance 
is dependent on the configuration: when Sm - Sn — 16, 
the best performance is achieved, which coincides with the 


previous analysis. 

Figure 6b) shows the average cardinality of the elements 
in W, which is an indicator of the probability of getting cor¬ 
rect permutation elements in W and an indicator of the time 
complexity as analyzed above. Comparing Figures 6a) and 
6 b), one can see that the occurrence probability of decryp¬ 
tion errors has a good correspondence with the average car¬ 
dinality, where the correctness of the uniquely-determined 
permutation relationship matrix was obtained by some cho¬ 
sen plain-images and the corresponding cipher-images. 

From the above comparison, it is concluded that the se¬ 
curity of HCIE with a hierarchical structure is even weaker 
than the security of general permutation-only image en¬ 
cryption algorithms without hierarchical structures: when 
S m = S n = 32 and S m - S n = 16, two known plain- 
images are enough to achieve an acceptable breaking per¬ 
formance; while when S m — S n — 256, the breaking per¬ 
formance with two known plain-images is not satisfactory, 
thus three plain-images are needed to achieve an accept¬ 
able performance. Overall, from the viewpoint of secu¬ 
rity against known/chosen-plaintext attacks, the hierarchi¬ 
cal idea proposed in HCIE has no technical merits. 

3.4. Chosen-plaintext attack 

To discover an equivalent secret key of a common 
permutation-only image encryption scheme under the sce¬ 
nario of chosen-plaintext attack, one can construct a “com¬ 
position plain-text”, whose every element is different from 
each other [24, Sec. 5.1]. To satisfy the requirement, the 
number of the bit planes of the special chosen-text should 
be not smaller than [log 2 (M ■ N)~\. So, the number of re¬ 
quired chosen-images is 

« = rriog 2 (M.A)i/riog 2 (r)ii. 
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4. Conclusion 



a) decryption error ratio 



b) the average cardinality #(w(i, j)) 

(Legend: A- S m = S n = 256, O-S m = S n = 32,0- 
S m = Sn = 16) 


Figure 6: A performance comparison of the known-plaintext attack to 
HCIE. 

In general, T is a power of 2 in the digital domain, hence 
log 2 (r) is an integer. To this end, one has 

n = riog 2 (M ■ AO/ log 2 (701 = riog r (M ■ A01 (5) 

by referring to [25, Theorem 3.10], 

Similarly to the known-plaintext attack, the use of a hier¬ 
archical structure in HCIE can also make the construction 
of chosen plain-images easier. Accordingly, an attacker 
can work hierarchically to construct n chosen plain-images, 
/i,■ ■ ■ ifm as follows: 

• high-level: Pf t ~ Pf t , which are defined in Eq. (2), 
compose an orthogonal image set; 

• low-level: V(i, j), Pf x (i,j) ~ P/ n (i,j) compose an or¬ 
thogonal image set. 

In this case, the minimal number of required chosen plain- 
images becomes 

n = max ([log r (S M -5^)1, riog r (Z0"|) 

< \log T (M-N)], ( 6 ) 

where K = ■ jr~. The above equality holds if and only if 

the hierarchical encryption structure is disabled, i.e., when 

K e {l,M ■ N). 

As the (l + ' j~) permutation relationship matrices 

of HCIE are uniquely determined by the bit sequence 
{b(i)}f= 0 1 and the public parameters, one may recover re¬ 
versely some consecutive bits of [b(i)}f* q [26, Sec. 3.3.6], 
Furthermore, one can derive the secret key x(0) and // fol¬ 
lowing the approach given in [21, Sec.3.3.2]. 


Specific security performance of a typical permutation- 
only encryption algorithm, called HCIE, against ciphertext- 
only attack and known/chosen-plaintext attacks has been 
studied in detail. It is found that the capability of HCIE 
against the former attack was over-estimated much and hi¬ 
erarchical permutation-only image encryption algorithms 
such as HCIE are less secure than normal permutation-only 
ones without using hierarchical encryption structures. This 
work effectively demonstrates that the size of the real per¬ 
mutation domain of a permutation algorithm should be as 
large as possible in order to reach the best performance. As 
permutation operation alone cannot provide high level of 
security, it should be combined with other value substitu¬ 
tion functions. 
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